Cisco issues critical vulnerability alert for devices using WebVPN

Patched software has been issued

Cisco recently issued an urgent security advisory regarding devices configured with WebVPN. The vulnerability is in the Secure Sockets Layer (SSL) of Cisco Adaptive Security Appliance (ASA) devices. The company has labeled it a critical flaw with a CVSS score of 10, which is as high as the scale goes.

According to Cisco, “The vulnerability is due to an attempt to double free a region of memory when the WebVPN feature is enabled on the Cisco ASA device.”

WebVPN is clientless virtual private network software that allows users to access corporate assets and intranets from any computer connected to the internet. Unfortunately, an attacker can use this feature to attack the devices on the network. By sending a series of XML packets to a WebVPN device, an attacker could cause systems to reload or crash, creating a denial of service, or even execute remote code on the affected machine.

Cisco says there is no workaround for this vulnerability and that affected devices should apply the patch it has already issued. Cisco identified the following devices as being affected by the security hole:

Cisco's alert post also includes instructions on how to identify and track down devices running the vulnerable version of the software. If you are an administrator, it is advisable to check your network for anything that might be running the unpatched software. The version of the Remote Access VPN program is identified as FTD 6.2.2.